
Security of Symmetric Encryption against Mass Surveillance

Mihir Bellare (1), Kenneth G. Paterson (2), and Phillip Rogaway (3)

(1) Dept. of Computer Science and Engineering, University of California San Diego, USA. cseweb.ucsd.edu/~mihir
(2) Information Security Group, Royal Holloway, University of London, UK. www.isg.rhul.ac.uk/~kp
(3) Dept. of Computer Science, University of California Davis, USA. www.cs.ucdavis.edu/~rogaway

Abstract. Motivated by revelations concerning population-wide surveillance of encrypted communications, we formalize and investigate the resistance of symmetric encryption schemes to mass surveillance. The focus is on algorithm-substitution attacks (ASAs), where a subverted encryption algorithm replaces the real one. We assume that the goal of "big brother" is undetectable subversion, meaning that ciphertexts produced by the subverted encryption algorithm should reveal plaintexts to big brother yet be indistinguishable to users from those produced by the real encryption scheme. We formalize security notions to capture this goal and then offer both attacks and defenses. In the first category we show that successful (from the point of view of big brother) ASAs may be mounted on a large class of common symmetric encryption schemes. In the second category we show how to design symmetric encryption schemes that avoid such attacks and meet our notion of security. The lesson that emerges is the danger of choice: randomized, stateless schemes are subject to attack while deterministic, stateful ones are not.

Table of Contents

1 Introduction 1
2 Preliminaries 4
3 Subverting Encryption 5
4 Mounting ASAs 8
4.1 IV-replacement attacks 8
4.2 The biased-ciphertext attack 10
5 Defeating ASAs 12
Acknowledgments 15
References 15
Appendices 17
A Subversion of Internet Symmetric Encryption Protocols 17
B Asymmetric Subversion 18

1 Introduction

Overview. This paper is about the troubling possibility of mass surveillance by algorithm-substitution attack (ASA). Suppose that encryption scheme Π = (K, E, D) is to be implemented in closed-source software: think, for example, of implementing the CBC-AES encryption underlying the TLS record layer within Microsoft's Internet Explorer or Apple's Safari browsers, or in corresponding server-side code. An ASA replaces the executable code for the desired encryption algorithm E with, for example, the code of an NSA-authored alternative Ẽ. ASAs have been discussed before, under various names, in particular falling under the banner of kleptography. This prescient idea was developed by Young and Yung starting in the 1990s [51, 52]. While some cryptographers seem to have dismissed kleptography as far-fetched, recent revelations suggest this attitude to be naïve [4]. ASAs may well be going on today, possibly on a massive scale. In this light we aim to provide a formal and practical treatment of ASAs, with a focus on symmetric encryption, an attractive target for real-world attacks. Building on, yet going further than, prior work, we fully and formally define security goals. We then come at ASAs from both ends, showing on the one hand how successful (from the point of view of big brother) ASAs may be mounted on standard schemes, and showing on the other hand how to design schemes that provably resist them. Our findings surface what we call the danger of choice: the trend towards flexibility and open-ended choices in protocols, often present for vendor flexibility or political compromise, works against us with regard to protection against ASAs, which are best defeated by stateful, deterministic encryption that curtails randomness and choice.

Model and definitions. The real encryption algorithm E takes, as usual, user key K, message M, and associated data A. It returns a ciphertext C.
The subverted algorithm Ẽ that substitutes for E takes the same inputs but also an additional, big-brother key, K̃. It also returns a ciphertext. With no restrictions on Ẽ, there would appear to be no hope of security, for Ẽ can fold K into the ciphertext, say encrypted under K̃, and big brother can use K̃ to recover K. However, such an attack would be detected by users, who would see that ciphertexts fail to decrypt normally. Big brother aims to achieve compromise without detection: subverted ciphertexts should look like real ones, yet enable recovery of K or M. ASAs, in this view, live in a tension between detectability and success, the former working to curtail the latter. We will formally define metrics of both detectability and success. We will require that ciphertexts produced by Ẽ decrypt normally under the decryption algorithm D of the base scheme. This decryptability condition is the most basic form of undetectability. But we expect that big brother will aim to evade more sophisticated forms of detection. We formalize detection security as requiring that real and subverted ciphertexts are indistinguishable even to a test that knows some users' keys but does not know K̃. Success refers to big brother's ability to obtain knowledge about user data from subverted ciphertexts. Certainly an ASA allowing big brother to recover the user key K from any ciphertext is successful, but for positive results (defeating big brother) we want more. We formalize surveillance security as the requirement that big brother, even with its key K̃, cannot differentiate real ciphertexts from subverted ones. The duality between detection and surveillance security is reflected in our formalizations. Both require indistinguishability of real and subverted ciphertexts to an adversary, the difference being that in detection the adversary knows the user keys but not the big-brother key, and in surveillance it's the other way around.
We remark that, in both cases, our formalizations are multi-user, meaning there are many users (but a single subverter).

Mounting ASAs. We show that most symmetric encryption schemes succumb to damaging ASAs. Our attacks recover the user key K from subverted ciphertexts while remaining undetectable. These attacks apply to base schemes that are randomized and stateless. Building on [21], we first describe what we call IV-replacement attacks, where the initial vector in a blockcipher mode of operation is used to communicate to big brother an encryption under K̃ of the user key K. Then we describe a more general ASA that we call the biased-ciphertext attack. This makes few assumptions on the structure of the base scheme and succeeds by creating ciphertexts that are not distributed quite like real ones. They are biased in a way that reveals bits of the user key to a holder of K̃, but we show that the bias is undetectable without knowledge of K̃. The difficulty here is showing undetectability even for tests that know the user key K, and for the analysis we prove an information-theoretic lemma about biased functions. Beyond presenting generic attacks we discuss how encryption in SSL/TLS, IPsec, and SSH can be subverted by these means. The conclusion is that randomized, stateless schemes, including deployed ones, invariably fall to even generic ASAs.

Defeating ASAs. We aim to build symmetric encryption schemes that resist ASAs, meaning achieve surveillance security in the formal sense we define. Given the above, such schemes need to be stateful and deterministic. But not every such scheme works. The difficulty with provably achieving surveillance security is that standard security properties of the base scheme, such as its privacy or authenticity, are of no particular use towards the new goal. The reason is that these properties rely on the adversary not knowing the key K.
But in the surveillance setting, the subverted ciphertexts are being created by an algorithm, Ẽ, that knows K, and can thus compromise privacy or authenticity to make subverted ciphertexts look different from real ones, and in a way useful to big brother. Nonetheless, we show that security is achievable by relying on combinatorial properties of the scheme. We define what it means for a base symmetric encryption scheme to have unique ciphertexts and then show that every unique-ciphertext scheme meeting the decryptability condition is secure against ASAs. This provides a strong anti-surveillance guarantee: no ASA will succeed in differentiating real from subverted ciphertexts, let alone recovering the message or a user's key. We show this assuming only minimal undetectability, namely decryptability, meaning that subverted ciphertexts must remain decryptable by the decryption algorithm of the base scheme. To realize concrete benefits from this general result, we need to find unique-ciphertext symmetric encryption schemes. Here we give a simple construction based on a variable-input-length PRP. We present a more practical result, showing how any nonce-based symmetric encryption scheme [40, 41] may be transformed into a unique-ciphertext stateful deterministic scheme while preserving efficiency. Using existing nonce-based encryption schemes like CCM, GCM, or OCB, this yields practical designs of surveillance-resistant symmetric encryption.

Asymmetric ASAs. For simplicity, our main definitions only capture the case in which big brother embeds a symmetric key K̃ into subverted software. It is obviously useful to replace this with a public key, the corresponding secret key being held by big brother, so that reverse engineering of a subverted encryption algorithm will not confer the capabilities that big brother aims to keep to itself. The necessary definitional extensions, which are small, are described in Appendix B.

Scope. Our paper is deliberately of restricted scope: we consider ASAs only for symmetric encryption schemes. In reality, encryption schemes are deployed as part of larger cryptographic protocols and these protocols will afford additional opportunities for algorithmic subversion. To pick one example, a protocol might involve the transmission of a nonce for authentication purposes during a key-exchange phase. This nonce could be chosen so as to directly leak an ensuing session key.
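As an added example (not code from the paper), the following Python shows the transformation described under "Defeating ASAs": a nonce-based scheme is turned into a stateful, deterministic scheme by driving the nonce from a message counter that both sides hold as state and never transmit, so that for each (K, state, A, M) exactly one ciphertext is valid. CCM, GCM and OCB are not in the Python standard library, so the nonce-based AEAD here is a constructed HMAC-SHA256 stand-in (counter-mode keystream, encrypt-then-MAC); `UniqueCiphertextSender`, `is_expected_ciphertext` and the other names are this example's own. The function `is_expected_ciphertext` is the practical payoff for a user holding K: recompute the single valid ciphertext and compare, which catches any implementation that deviates without knowing anything about a subverter's key. The randomized, stateless variant at the end shows why the same check has nothing to compare against once an IV may be chosen freely.

```python
"""Unique-ciphertext (stateful, deterministic) encryption from a nonce-based AEAD.

Added example, not the paper's code.  The AEAD is a constructed stand-in for
CCM/GCM/OCB built from HMAC-SHA256; all names here are this example's own.
"""
import hashlib
import hmac
import os

TAG_LEN = 16    # bytes of the HMAC tag kept
NONCE_LEN = 8   # 64-bit message counter used as the nonce


def _subkeys(key: bytes) -> tuple:
    """Derive independent encryption and MAC keys from the user key K."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || block index) per block."""
    blocks, index = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + index.to_bytes(4, "big"), hashlib.sha256).digest()
        index += 1
    return bytes(blocks[:length])


def _tag(mac_key: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    """Tag over the nonce, length-prefixed associated data and the ciphertext."""
    data = nonce + len(ad).to_bytes(4, "big") + ad + ct
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:TAG_LEN]


def nonce_encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
    """Nonce-based AEAD encryption: a deterministic function of (K, N, A, M)."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(m ^ k for m, k in zip(msg, _keystream(enc_key, nonce, len(msg))))
    return ct + _tag(mac_key, nonce, ad, ct)


def nonce_decrypt(key: bytes, nonce: bytes, ad: bytes, ct_tag: bytes):
    """Returns the message, or None if the tag does not verify."""
    enc_key, mac_key = _subkeys(key)
    if len(ct_tag) < TAG_LEN:
        return None
    ct, tag = ct_tag[:-TAG_LEN], ct_tag[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, ad, ct)):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _nonce_for(counter: int) -> bytes:
    return counter.to_bytes(NONCE_LEN, "big")


class UniqueCiphertextSender:
    """Stateful, deterministic encryptor: the nonce is the message counter, kept as
    state on both sides and never sent.  For a fixed (K, state, A, M) exactly one
    ciphertext is valid, so the implementation has no freedom in what it emits."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def encrypt(self, ad: bytes, msg: bytes) -> bytes:
        ct = nonce_encrypt(self.key, _nonce_for(self.counter), ad, msg)
        self.counter += 1
        return ct


class UniqueCiphertextReceiver:
    """Mirror of the sender; advances its counter only on successful decryption."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def decrypt(self, ad: bytes, ct_tag: bytes):
        msg = nonce_decrypt(self.key, _nonce_for(self.counter), ad, ct_tag)
        if msg is not None:
            self.counter += 1
        return msg


def is_expected_ciphertext(key: bytes, counter: int, ad: bytes, msg: bytes, observed: bytes) -> bool:
    """Detection check for a user who knows K: recompute the single valid ciphertext
    for this state and compare.  Needs no knowledge of any subverter's key."""
    expected = nonce_encrypt(key, _nonce_for(counter), ad, msg)
    return hmac.compare_digest(expected, observed)


def randomized_encrypt(key: bytes, ad: bytes, msg: bytes) -> bytes:
    """The stateless, randomized alternative: a fresh IV is chosen and sent in the clear.
    Many ciphertexts are valid for the same (K, A, M), so no recomputation check exists."""
    iv = os.urandom(NONCE_LEN)
    return iv + nonce_encrypt(key, iv, ad, msg)


def randomized_decrypt(key: bytes, ad: bytes, iv_ct_tag: bytes):
    return nonce_decrypt(key, iv_ct_tag[:NONCE_LEN], ad, iv_ct_tag[NONCE_LEN:])
```

The receiver deliberately does not advance its counter on a failed tag check, so a tampered or out-of-order ciphertext cannot desynchronise the two sides; the cost of the design is that sender and receiver must stay in lockstep, which is the statefulness the paper identifies as the price of resisting ASAs.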